volatility3.plugins.linux.kmsg module
- class ABCKmsg(context, config)
Bases: ABC
Kernel log buffer reader
- FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
- LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
- classmethod run_all(context, config)
Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions required by that specific implementation.
- Parameters:
context (ContextInterface) – The volatility3 context on which to operate
config (HierarchicalDict) – Core configuration
- Yields:
kmsg records
- abstract classmethod symtab_checks(vmlinux)
Called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via the run() method.
- Returns:
True if the kernel being analysed fulfills the class requirements.
- class DescStateEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)
Bases: Enum
- desc_committed = 1
- desc_finalized = 2
- desc_miss = -1
- desc_reserved = 0
- desc_reusable = 3
- class Kmsg(context, config_path, progress_callback=None)
Bases: PluginInterface
Kernel log buffer reader
- build_configuration()
Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- classmethod get_requirements()
Returns a list of Requirement objects for this plugin.
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- property open
Returns a context manager and thus can be called like open
- run()
Executes the functionality of the code.
Note
This method expects self.validate to have been called to ensure all necessary options have been provided
- Returns:
A TreeGrid object that can then be passed to a Renderer.
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet))
- version = (1, 0, 1)
- class KmsgFiveTen(context, config)
Bases: ABCKmsg
In 5.10 the kernel ringbuffer implementation changed. Previously only one process was expected to read /proc/kmsg; it is kept permanently open and read periodically by the syslog daemon. A high-level structure, ‘printk_ringbuffer’, was added to represent the printk ringbuffer, which actually contains two ringbuffers. The descriptor ring ‘desc_ring’ holds the records’ metadata, text offsets and states. The data block ring ‘text_data_ring’ holds the records’ text strings. A pointer to the high-level structure is kept in the prb pointer, which is initialized to a static ringbuffer:
static struct printk_ringbuffer *prb = &printk_rb_static;
In SMP systems with more than 64 CPUs this ringbuffer is dynamically allocated, sized according to the number of CPUs and the value of CONFIG_LOG_CPU_MAX_BUF_SHIFT. The prb pointer is then updated to this dynamic ringbuffer in setup_log_buf():
prb = &printk_rb_dynamic;
Behind the scenes, log_buf is still used as the external buffer. When the static printk_ringbuffer struct is initialized, _DEFINE_PRINTKRB sets the text_data_ring.data pointer to the address held in log_buf, which points to the static buffer __log_buf. If a dynamic ringbuffer is used, setup_log_buf() sets text_data_ring.data of printk_rb_dynamic to the newly allocated external buffer via the prb_init function. In that case, the original external static buffer __log_buf and printk_rb_static are unused:
new_log_buf = memblock_alloc(new_log_buf_len, LOG_ALIGN);
prb_init(&printk_rb_dynamic, new_log_buf, ...);
log_buf = new_log_buf;
prb = &printk_rb_dynamic;
See printk.c and printk_ringbuffer.c in the kernel/printk/ folder for more details.
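The states listed under DescStateEnum above are what a reader of the 5.10+ desc_ring sees for each descriptor, including desc_miss (-1), which the kernel never stores but reports when a slot has been recycled for a newer record. The following Python is an added example, not code from volatility3 or the kernel: it reproduces the descriptor state_var decoding and slot lookup for a small constructed ring. The bit layout (state in the top two bits of state_var, id in the rest, slot = id & (count - 1)) and the rule that only finalized descriptors are readable are assumptions taken from kernel/printk/printk_ringbuffer.h and printk_ringbuffer.c; BITS_PER_LONG is assumed to be 64.

```python
from enum import Enum

# Added example; not code from volatility3 or the kernel. It reproduces how
# kernel/printk/printk_ringbuffer.h (5.10+) packs a descriptor's state_var
# (assumed from that header): the top two bits of the unsigned long hold the
# state, the remaining bits hold the descriptor id.


class DescStateEnum(Enum):
    desc_miss = -1
    desc_reserved = 0
    desc_committed = 1
    desc_finalized = 2
    desc_reusable = 3


BITS_PER_LONG = 64                    # assumption: 64-bit kernel (DESC_SV_BITS)
DESC_FLAGS_SHIFT = BITS_PER_LONG - 2
DESC_ID_MASK = (1 << DESC_FLAGS_SHIFT) - 1


def desc_sv(desc_id, state):
    """Pack id and state as the kernel's DESC_SV(id, state) does."""
    return (state.value << DESC_FLAGS_SHIFT) | (desc_id & DESC_ID_MASK)


def desc_id(state_var):
    """Id part of a state_var (DESC_ID in the kernel)."""
    return state_var & DESC_ID_MASK


def desc_state(state_var):
    """State part of a state_var (DESC_STATE in the kernel)."""
    return DescStateEnum(3 & (state_var >> DESC_FLAGS_SHIFT))


def get_desc_state(wanted_id, state_var):
    """Like the kernel's get_desc_state(): if the slot now carries a different
    id, the wanted record has been overwritten and the reader reports desc_miss."""
    if wanted_id != desc_id(state_var):
        return DescStateEnum.desc_miss
    return desc_state(state_var)


def classify_descriptors(state_vars, count_bits, wanted_ids):
    """Map each wanted id to the state a reader sees.

    The descriptor ring has 1 << count_bits slots and id N lives in slot
    N & (count - 1) (DESC_INDEX in the kernel), so old ids get recycled."""
    count = 1 << count_bits
    assert len(state_vars) == count
    return {wid: get_desc_state(wid, state_vars[wid & (count - 1)]) for wid in wanted_ids}


def readable_ids(state_vars, count_bits, wanted_ids):
    """Ids whose text a reader may trust: only finalized descriptors.
    committed/reserved are still being written, reusable has had its data
    reclaimed, and miss means the slot was recycled for a newer record."""
    states = classify_descriptors(state_vars, count_bits, wanted_ids)
    return [wid for wid, st in states.items() if st is DescStateEnum.desc_finalized]


# Constructed 4-slot descriptor ring after six records (ids 0-5) were reserved:
# slots 0 and 1 have been recycled for ids 4 and 5.
SAMPLE_RING = [
    desc_sv(4, DescStateEnum.desc_finalized),
    desc_sv(5, DescStateEnum.desc_committed),
    desc_sv(2, DescStateEnum.desc_finalized),
    desc_sv(3, DescStateEnum.desc_reusable),
]

if __name__ == "__main__":
    for wid, st in classify_descriptors(SAMPLE_RING, 2, range(6)).items():
        print(wid, st.name)
    print("readable:", readable_ids(SAMPLE_RING, 2, range(6)))
```

Running the block reports ids 0 and 1 as desc_miss, 3 as desc_reusable, 5 as desc_committed, and only 2 and 4 as readable. For a memory-forensics reader this matters because a half-written (committed or reserved) or reclaimed (reusable) descriptor may point at text that was never completed or has already been overwritten, so its data block must not be reported as a valid log line.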
- FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
- LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
- get_caller(obj)
- get_caller_text(caller_id)
- classmethod run_all(context, config)
Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions required by that specific implementation.
- Parameters:
context (ContextInterface) – The volatility3 context on which to operate
config (HierarchicalDict) – Core configuration
- Yields:
kmsg records
- classmethod symtab_checks(vmlinux)
Called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via the run() method.
- Returns:
True if the kernel being analysed fulfills the class requirements.
- class KmsgLegacy(context, config)
Bases: ABCKmsg
In Linux kernels prior to v5.10, the ringbuffer is initially kept in __log_buf, and log_buf is a pointer to it. __log_buf is declared as a char array but actually contains an array of printk_log structs. The length of this array is defined in the kernel Kconfig configuration via the CONFIG_LOG_BUF_SHIFT value, as a power of 2, and can also be changed with the log_buf_len kernel boot parameter. In SMP systems with more than 64 CPUs the ringbuffer is instead dynamically allocated, sized according to the number of CPUs and the value of CONFIG_LOG_CPU_MAX_BUF_SHIFT, and the log_buf pointer is updated to the new buffer. In that case, the original static buffer in __log_buf is unused.
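To show what walking that pre-5.10 __log_buf involves, here is an added Python example (not volatility3's own code) that builds a small constructed buffer which has already wrapped once and then walks it from log_first_idx to log_next_idx, decoding facility and level with the FACILITIES and LEVELS tuples of this module. The printk_log field layout (u64 ts_nsec; u16 len, text_len, dict_len; u8 facility; u8 flags:5, level:3), the 8-byte record alignment and the len == 0 end-of-buffer marker are assumptions taken from kernel/printk/printk.c for a little-endian build without CONFIG_PRINTK_CALLER; a real kernel is read through its symbol table rather than a hard-coded struct, and the sample texts and timestamps are constructed.

```python
import struct

# Added example; not code from volatility3. It models the pre-5.10 __log_buf
# layout with a constructed buffer so that it runs offline.
FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog',
              'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')

# struct printk_log as declared in kernel/printk/printk.c before 5.10, assuming
# CONFIG_PRINTK_CALLER is off and a little-endian build:
#   u64 ts_nsec; u16 len; u16 text_len; u16 dict_len; u8 facility;
#   u8 flags:5; u8 level:3;   (flags in the low 5 bits, level in the top 3)
HDR = struct.Struct('<QHHHBB')
LOG_ALIGN = 8  # records are padded to __alignof__(struct printk_log)


def make_record(ts_nsec, facility, level, text, flags=0):
    """Build one padded printk_log record (constructed test data)."""
    body = text.encode()
    raw_len = HDR.size + len(body)
    padded = (raw_len + LOG_ALIGN - 1) & ~(LOG_ALIGN - 1)
    fl = (flags & 0x1F) | ((level & 0x7) << 5)
    return HDR.pack(ts_nsec, padded, len(body), 0, facility, fl) + body + b"\0" * (padded - raw_len)


def build_sample_log_buf():
    """A constructed 128-byte __log_buf that has already wrapped once.

    The oldest surviving record sits at offset 64, a len == 0 marker at 112
    tells readers the buffer ends there, and the newest record was written
    at offset 0. Returns (buf, log_first_idx, log_next_idx)."""
    buf = bytearray(128)
    older = make_record(12_345_678_000, 10, 6, "sshd[1]: Accepted publickey")  # authpriv.info
    newer = make_record(12_400_000_000, 0, 4, "audit: denied")                 # kern.warn
    buf[64:64 + len(older)] = older            # 48 bytes: 64..112
    buf[112:128] = HDR.pack(0, 0, 0, 0, 0, 0)  # end-of-buffer marker (len == 0)
    buf[0:len(newer)] = newer                  # 32 bytes: 0..32
    return bytes(buf), 64, 32


def walk_log_buf(buf, first_idx, next_idx):
    """Walk records from log_first_idx to log_next_idx.

    Mirrors the kernel's log_from_idx()/log_next(): a header whose len is 0
    is the end-of-buffer marker, so the read position wraps to offset 0."""
    records = []
    idx = first_idx
    while idx != next_idx:
        if idx + HDR.size > len(buf):  # corrupt index: stop rather than read past the buffer
            break
        ts_nsec, length, text_len, dict_len, facility, fl = HDR.unpack_from(buf, idx)
        if length == 0:
            idx = 0
            continue
        start = idx + HDR.size
        text = buf[start:start + text_len].decode(errors="replace")
        records.append({
            "ts_sec": ts_nsec / 1e9,
            "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
            "level": LEVELS[fl >> 5],
            "flags": fl & 0x1F,
            "text": text,
        })
        idx += length
    return records


def format_record(rec):
    """Render one record dmesg-style: [seconds.micro] facility.level: text."""
    return "[{:12.6f}] {}.{}: {}".format(rec["ts_sec"], rec["facility"], rec["level"], rec["text"])


if __name__ == "__main__":
    buf, first, nxt = build_sample_log_buf()
    for rec in walk_log_buf(buf, first, nxt):
        print(format_record(rec))
```

The walk yields the authpriv.info record first and the kern.warn record second, even though the latter sits at a lower offset, because chronological order follows log_first_idx through the wrap marker rather than the buffer offsets. The dynamic-allocation case described above changes only where the buffer lives (log_buf instead of __log_buf), not this record walk.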
- FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
- LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
- get_caller(obj)
- get_caller_text(caller_id)
- classmethod run_all(context, config)
Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions required by that specific implementation.
- Parameters:
context (ContextInterface) – The volatility3 context on which to operate
config (HierarchicalDict) – Core configuration
- Yields:
kmsg records
- classmethod symtab_checks(vmlinux)
Called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via the run() method.
- Returns:
True if the kernel being analysed fulfills the class requirements.